Hi,

unfortunately replication conflicts for managed entries have additional difficulties. The origin and managed entries reference the "non-conflict" entry and the managed entry plugin prevents the deletion of a managed entry via ldapmodify. To proceed in cleanup you could try to remove the "mepManagedEntry" objectclass and "mepmanagedby" attribute and try again to delete the conflict entry.


On 06/19/2017 06:38 PM, john.bowman--- via FreeIPA-users wrote:
Here is a specific example:

conflict entry:  dn: cn=ipaservers+nsuniqueid=e8d2f705-512111e7-9205b5bf-43202000,cn=hostgroups,cn=accounts,dc=domain,dc=tld

Step 1:
$ ldapmodify -D "cn=directory manager" -w secret -p 389 -h ipa0.domain.tld
dn: cn=ipaservers+nsuniqueid=e8d2f705-512111e7-9205b5bf-43202000,cn=hostgroups,cn=accounts,dc=domain,dc=tld
changetype: modrdn
newrdn: cn=ipaservtemp
deleteoldrdn: 0
modifying rdn of entry "cn=ipaservers+nsuniqueid=e8d2f705-512111e7-9205b5bf-43202000,cn=hostgroups,cn=accounts,dc=domain,dc=tld"

Step 2:

$ ldapmodify -x -D "cn=directory manager" -w secret -p 389 -h ipa1.domain.tld
dn: cn=ipaservtemp,cn=hostgroups,cn=accounts,dc=domain,dc=tld
changetype: modify
delete: cn
cn: ipaservers

delete: nsds5ReplConflict

Step 3:
$ ldapmodify -x -D "cn=directory manager" -w secret -p 389 -h ipa1.domain.tld
dn: cn=ipaservtemp,cn=hostgroups,cn=accounts,dc=domain,dc=tld
changetype: modrdn
newrdn: cn=ipaservers
deleteoldrdn: 1
modifying rdn of entry "cn=ipaservtemp,cn=hostgroups,cn=accounts,dc=domain,dc=tld"

This produces the following error:
ldap_rename: Operations error (1)

When I check for the conflict it's gone but on ipa1.domain.tld it gives me an error saying it can't find ipaservers:
$ ldapsearch -o ldif-wrap=no -ZZ -LLLx -h "ipa1.domain.tld" -D "cn=directory manager" -w secret -b cn=ipaservers,cn=hostgroups,cn=accounts,dc=domain,dc=tld -s base
No such object (32)
Matched DN: cn=hostgroups,cn=accounts,dc=domain,dc=tld

But when I list all the hostgroups on that same server it does show up:
ldapsearch -o ldif-wrap=no -ZZ -LLLx -h "ipa1.domain.tld" -D "cn=directory manager" -w secret -b cn=hostgroups,cn=accounts,dc=domain,dc=tld | grep dn:
dn: cn=ipaservers,cn=hostgroups,cn=accounts,dc=domain,dc=tld
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric 
Shander
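
The cleanup suggested in the reply at the top of this thread, sketched as an added example that is not part of the original messages: it reads unwrapped ldapsearch LDIF and writes change records only for entries that are both replication conflicts and managed entries, so the "non-conflict" entry is never touched. The sample entries and the function names `sample_ldif` and `mep_cleanup_ldif` are constructed for illustration; review the generated LDIF before feeding it to ldapmodify.

```shell
#!/bin/sh
# Added example, not from the thread. All entries below are constructed.

# Constructed sample shaped like unwrapped ldapsearch LDIF output.
sample_ldif() {
cat <<'EOF'
dn: cn=examplegrp+nsuniqueid=00000000-00000000-00000000-00000001,cn=hostgroups,cn=accounts,dc=domain,dc=tld
objectClass: top
objectClass: mepManagedEntry
mepManagedBy: cn=origin,dc=domain,dc=tld
nsds5ReplConflict: namingConflict cn=examplegrp,cn=hostgroups,cn=accounts,dc=domain,dc=tld

dn: cn=examplegrp,cn=hostgroups,cn=accounts,dc=domain,dc=tld
objectClass: top
objectClass: mepManagedEntry
mepManagedBy: cn=origin,dc=domain,dc=tld

dn: cn=plain+nsuniqueid=00000000-00000000-00000000-00000002,cn=hostgroups,cn=accounts,dc=domain,dc=tld
objectClass: top
nsds5ReplConflict: namingConflict cn=plain,cn=hostgroups,cn=accounts,dc=domain,dc=tld
EOF
}

# Read LDIF on stdin; write change records for managed conflict entries only.
mep_cleanup_ldif() {
  awk '
    function emit_entry() {
      # Require all three: conflict marker, nsuniqueid in the RDN, managed class.
      if (conflict && managed && tolower(dn) ~ /^[^,]*[+]nsuniqueid=/) {
        # One modify operation drops the class and its attribute together.
        print "dn: " dn; print "changetype: modify"
        print "delete: objectClass"; print "objectClass: mepManagedEntry"
        if (managedby) { print "-"; print "delete: mepManagedBy" }
        print ""
        print "dn: " dn; print "changetype: delete"; print ""
      }
      dn = ""; conflict = 0; managed = 0; managedby = 0
    }
    /^$/     { emit_entry(); next }
    /^dn: /  { dn = substr($0, 5); next }
             { key = tolower($0) }
    key ~ /^nsds5replconflict:/               { conflict = 1 }
    key ~ /^objectclass: *mepmanagedentry *$/ { managed = 1 }
    key ~ /^mepmanagedby:/                    { managedby = 1 }
    END      { emit_entry() }
  '
}

sample_ldif | mep_cleanup_ldif
```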